Viruses and the Mac FAQ
From : Erik Richard Sørense~
Date : 14-10-02 04:16

Hi

Apropos of the last few days' talk about viruses, I found this 'little' article
on the subject. Although it is not of the very latest date, it has a lot of links and
information about Macs and viruses.
Regards, Erik Richard

David Harley wrote:

> Archive-name: computer-virus/macintosh-faq
> Posting-Frequency: Fortnightly
> Last-modified: Fri, 1 Jan 2000 19:14 GMT
> URL: http://www.sherpasoft.org.uk/MacSupporters/macvir.faq
> Copyright: Copyright 1996-2000 by David Harley and contributors
> Maintainer: David Harley <D.Harley@icrf.icnet.uk>
>
> Viruses and the Macintosh
> =========================
> by David Harley
> Version 1.6b: 7th January 2000
>
> Significant changes from the previous version are flagged with +
> symbols in the first two columns at the start of the relevant line
> or section. Amendments of minor grammatical or syntactical errors
> are not flagged unless they affect factual accuracy or clarity.
>
> Sections tagged with [DH] or [SL] are hangovers from the time when
> maintenance of the FAQ was shared between David Harley and Susan Lesch,
> and usually denote personal opinions the originator didn't feel the other
> maintainer should be held responsible for. Untagged sections using
> the first person are usually attributable to David Harley.
>
> This version of the FAQ primarily reflects my involvement in setting
> up an information resource at ICSA. This will affect the availability
> of the FAQ. The next version will require extensive URL checking,
> and will probably introduce major formatting changes.
>
> David Harley
>
>
> Table of Contents
> =================
>
> 1.0 Copyright Notice
> 2.0 Preface
> 3.0 Availability of this FAQ
> 4.0 Mission Statement
> 5.0 Where to get further information
> 5.1 Computer Virus FAQs
> 5.2 EICAR
> 5.3 "Robert Slade's Guide to Computer Viruses"
> 5.4 Web sites
> 5.5 Virus Bulletin
> 5.6 Macro virus information resources
> 5.7 Other resources
> 6.0 How many viruses affect the Macintosh?
> 7.0 What viruses can affect Mac users?
> 7.1 Mac-specific system and file infectors
> 7.2 HyperCard Infectors
> 7.3 Mac Trojan Horses
> 7.4 Macro viruses, trojans, variants
> 7.5 Other Operating Systems, emulation on a Mac
> 7.6 AutoStart 9805 Worms
> 7.7 Esperanto.4733
> 8.0 What's the best antivirus package for the Macintosh?
> 8.1 Microsoft's Protection Tools
> 8.2 Disinfectant Retired
> 8.3 Demo Software
> 8.4 Other freeware/shareware packages
> 8.5 Commercial Packages
> 8.6 Contact Details
> 9.0 Welcome Datacomp
> 10.0 Hoaxes and myths
> 10.1 Good Times virus
> 10.2 Modems and Hardware viruses
> 10.3 Email viruses
> 10.4 JPEG/GIF viruses
> 10.5 Hoaxes Help
> 11.0 Glossary
> 12.0 General Reference Section
> 12.1 Mac Newsgroups
> 12.2 References and Publications
> 13.0 Mac Troubleshooting
>
>
> 1.0 Copyright Notice
> =====================
>
> Copyright on this document remains with the author(s), and all
> rights are reserved. However, it may be freely distributed and
> quoted - accurately, and with due credit.
>
> It may not be reproduced for profit or distributed in part or as a
> whole with any product for which a charge is made, except with the
> prior permission of the copyright holder(s). To obtain such
> permission, please contact the maintainer of the FAQ.
>
> Primary author and maintainer of this document is David Harley.
> Comments and additional material have been received with gratitude
> from Ronnie Sutherland, Henri Delger, Mike Groh and Eugene Spafford.
> Thanks to Bruce Burrell, Michael Wright, Peter Gersmann, David Miller,
> Ladd Van Tol, Eric Hildum, Jeremy Goldman, Kevin White, Bill
> Jackson, Robert Slade, Robin Dover, and John Norstad for their
> comments and suggestions. Special thanks to Susan Lesch for her
> contributions, editing, and maintenance chores as co-maintainer.
>
>
> 2.0 Preface
> ============
>
> This document is intended to help individuals with computer
> virus-related problems and queries, and clarify the issue
> of computer viruses on Macintosh platforms. It should *not* be
> regarded as being in any sense authoritative, and has no legal
> standing. The authors accept no responsibility for errors or
> omissions, or for any ill effects resulting from the use of any
> information contained in this document.
>
> Corrections and additional material are welcome, especially if
> kept polite.... Contributions will, if incorporated, remain the
> copyright of the contributor, and credited accordingly within
> the FAQ.
>
> David Harley <D.Harley@icrf.icnet.uk>
>
>
> 3.0 Availability of this FAQ
> =============================
>
> ++The reference site for this FAQ is now www.icsa.net. However, my own
> site at <http://www.sherpasoft.org.uk/MacSupporters/> will be the
> first place new versions will be posted.
>
> It's also available from Henri Delger's Prodigy Anti-Virus Center
> file library, as is the alt.comp.virus FAQ. It will probably be available
> shortly from <www.eicar.dk>
>
> There are HTML versions at:
> <http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-virus/macintosh-faq/faq.html>
> <http://www.faqs.org/faqs/computer-virus/macintosh-faq/>
> <http://emt.doit.wisc.edu/macvir/macvir.html>
>
> I have no control over the content of these sites, and can't guarantee
> that they're up-to-date.
>
>
> 4.0 Mission Statement
> ======================
>
> This document is a little different to the alt.comp.virus FAQ,
> which David Harley also co-maintains (at time of writing). It is
> concerned with one platform only, and though it deals with the
> Macintosh platform at more length than the alt.comp.virus FAQ can
> be expected to, it is a great deal shorter. Nor is there the same
> degree of urgency about the Mac virus field, though the risk
> element may be somewhat underestimated in general, at present. This
> FAQ originated from a concern over the spread of macro viruses, a
> theme that is taken up below. Since questions about Macs and
> viruses tend to appear more often in the Mac groups than
> alt.comp.virus or Virus-L, distribution of this FAQ is wider.
>
>
> 5.0 Where to get further information
> =====================================
>
> 5.1 Computer Virus FAQs
> ------------------------
> Computer Virus FAQ for New Users
> A mainly non-Mac virus FAQ posted to news.newusers.questions,
> alt.newbie, alt.newbies, alt.answers, and news.answers.
> <http://www.faqs.org/faqs/computer-virus/new-users/>
>
> alt.comp.virus FAQ
> This is posted to alt.comp.virus approximately fortnightly. It
> includes a document that summarizes and gives contact information
> for a number of other virus-related FAQs; (not much Mac-specific
> material). The latest version is available from:
> <http://www.sherpasoft.org.uk/acvFAQ/> but the reference version will
> eventually be the one at www.eicar.dk (page currently under construction).
>
> VIRUS-L/comp.virus FAQ
> The Virus-L/comp.virus FAQ (also fairly low on Mac-specific
> information) is regularly posted to the comp.virus newsgroup
> (version 2.0 at time of writing). This FAQ is very long and very
> thorough. The document is subject to revision, so the file name may
> change. The latest version may be found at:
> <ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95>
> <ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip>
>
> 5.2 EICAR
> ----------
> ++Dr Solomon's Anti-Virus Toolkit, Virex, and NAV (Norton AntiVirus
> for Macintosh) now support the EICAR test. This article by
> Paul Ducklin of Sophos explains the EICAR test file:
> <http://www.eicar.org/anti_virus_test_file.htm>. [SL]
>
> 5.3 "Robert Slade's Guide to Computer Viruses"
> -----------------------------------------------
> The disk included with the 2nd Edition of this excellent general
> resource includes most of the information available at the
> University of Hamburg (see 5.5). The book also contains a
> reasonable quantity of Mac-friendly information. The disk includes
> a copy of Disinfectant 3.6, which is now out-of-date -- 3.7.1 is
> the latest and final release. For more information about this book:
> <http://www.amazon.com/exec/obidos/ISBN=0387946632/> [Springer]
>
> ++Very few books primarily about computer viruses deal at any length
> with Mac viruses (I can't think of one, at present). Some general
> books on the Mac touch on the subject, but none I can think of add
> anything useful. Some of the "Totally Witless User's Guide
> to......." books dealing with security in general include
> information on PC -and- Mac viruses. Unfortunately, the quality of
> virus-related information in such publications is generally low, and
> there are few or no books on computer viruses in general which are
> both recent -and- accurate.
>
> 5.4 Web sites
> --------------
> Many major vendors have a virus information database online on
> their Web sites. Symantec (www.symantec.com), Network Associates
> (www.nai.com), Sophos (www.sophos.com) and Dr. Solomon's
> (www.drsolomon.com) include Macintosh virus information.
>
> Precise URLs tend to come and go, but you might like to try the
> following:
>
> Symantec Antivirus Research Center
> Virus Encyclopedia based on Project VGrep: huge, and now has a
> search engine. Probably the most complete [SL]. But not always the
> most accurate [DH].
> <http://www.symantec.com/avcenter/vinfodb.html>
>
> Network Associates, formerly McAfee Associates:
> Virus Information Library
> <http://www.nai.com/vinfo/>
> Macintosh Viruses
> <http://www.nai.com/vinfo/f_13707.asp>
>
> Sophos Plc
> <http://www.sophos.com/>
>
> About.com "Macintosh Virus Descriptions"
> Part of work in progress by Ken Dunham
> + <http://antivirus.about.com/library/blenmac.htm> (new domain name)
>
> Mac Virus
> ++[Site closed 5th September 1999]
> <http://www.macvirus.com/reference/viruses.html>
>
> Dr Solomon's "Mac Viral Zoo"
> Starting to go out of date
> <http://www.drsolomon.com/products/virex/zoo/maczoopg.html>
>
> ++Keep watching <www.icsa.org>
>
> 5.5 Virus Bulletin
> -------------------
> The expensive (but, for the professional, essential) periodical
> Virus Bulletin includes Mac-specific information from time to time.
> However, if you have no interest in PC issues, you probably won't
> consider it worth the expense.
>
> Virus Bulletin Ltd
> The Pentagon
> Abingdon
> OX14 3YP
> England
>
> +44 1235 555139
> <http://www.virusbtn.com/>
>
> The proceedings of the 1997 Virus Bulletin conference contained a
> paper by David Harley which significantly expands on many of the
> issues addressed in this FAQ. Contact Virus Bulletin for further
> information on the annual conference and on obtaining the
> proceedings. The paper can also be found (by permission of Virus
> Bulletin) at the author's website <http://www.sherpasoft.org.uk/MacSupporters/>
> and at <http://www.icsa.net/>
>
> 5.6 Macro virus information resources
> --------------------------------------
> ++University of Hamburg Virus Test Center Macro Virus List is the
> definitive listing. All known macro viruses, some only found in
> research labs, some in the wild. Doesn't include information on
> individual viruses apart from name and platform, and somewhat
> irregularly maintained.
> <ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/>
> <http://agn-www.informatik.uni-hamburg.de/vtc/eng.htm>
>
> Other Sources:
> <http://www.drsolomon.com/>
> <http://www.datafellows.com/vir-info/>
> <http://www.symantec.com/avcenter/>
> <http://www.nai.com/>
> <http://www.avpve.com/>
> <http://www.sophos.com/> (under Virus Information)
>
> [The following absolute URLs may change: such is the way of Web
> administrators..... If you get an error message, try the first part
> of the URL, e.g. <http://www.nai.com/> and drill down from there.]
>
> Dr Solomon's Software Ltd.
> <http://www.drsolomon.com/vircen/enc/>
>
> Central Command
> <http://www.avpve.com/viruses/macro/>
>
> Network Associates
> <http://www.nai.com/vinfo/f_3057.asp>
>
> Data Fellows
> <http://www.datafellows.com/macro/word.htm>
>
> ++Richard Martin put together an FAQ on the subject of Word viruses.
> It's well out-of-date, though, and was always inaccurate in some
> respects.
> <ftp.gate.net/pub/users/ris1/word.faq>
> ++N.B. This URL may be out of date. There is a copy of what I believe
> to be the last released version at SherpaSoft:
> <http://www.sherpasoft.org.uk/anti-virus/wordvirus.FAQ>
>
> 5.7 Other resources
> --------------------
>
> There are excellent pages on HyperCard viruses at HyperActive
> Software. There is information on HyperCard infectors, a link to
> Bill Swagerty's free Vaccine utility for detecting and cleaning
> them, a note on false positives reported by commercial software,
> inoculation, and a free HyperCard virus detection service.
> <http://www.hyperactivesw.com/Virus1.html>
>
> The CIAC virus database includes entries for PC, Macintosh, and a
> number of other platforms. The Macintosh section also includes a
> number of joke programs and one or two apparent hoaxes.
> <http://ciac.llnl.gov/ciac/CIACVirusDatabase.html>
>
> Virus Test Center, Hamburg: AntiVirus Catalog/CARObase early work
> <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/>
> <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/>
> <ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/>
> These links may be out-of-date: if they don't work, try
> <ftp://agn-www.informatik.uni-hamburg.de>
>
> Last we checked [03-Sep-97], these sites probably need updating,
> though some older files do have historical value. Info-Mac mirrors
> have Macintosh information, but include some outdated virus
> information and software at this writing; still, always worth a
> visit.
> <ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>
> <http://hyperarchive.lcs.mit.edu/HyperArchive/Abstracts/vir/HyperArchive.html>
>
> Also of interest, again sometimes outdated:
> <http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html>
> <http://www.unt.edu/virus/macgeneral.html>
>
> Kevin Harris's Virus Reference was last updated 31-Aug-95. This
> HyperCard stack requires HyperCard 2.1 or later.
> <ftp://mirrors.aol.com/pub/info-mac/vir/virus-reference-216-hc.hqx>
>
> 6.0 How many viruses affect the Macintosh?
> ===========================================
>
> There are around 40 Mac-specific viruses and related threats.
>
> ++Mac users with Word 6 or versions of Word/Excel supporting Visual Basic
> for Applications, however, are vulnerable to infection by macro
> viruses which are specific to these applications. Indeed, these
> viruses can, potentially, infect other files on any hardware
> platform supporting these versions of these applications. I don't
> know of a macro virus with a Mac-specific payload that actually
> works at present, but such a payload is entirely possible.
> ++Office 98 applications are in principle vulnerable to most of the
> threats to which Office 97 applications are vulnerable. I'll return
> to this subject when and if time allows. [DH]
>
> Word Mac version 5.1 and below do not support WordBasic, and are
> not, therefore, vulnerable to direct infection. Not only do these
> versions not understand embedded macros, but they can't read
> the Word 6 file format unaided. There is, however, at least one
> freeware utility which allows Word 5.x users to read Word 6 files.
> This will not support execution of Word 6 (or WinWord 2) macros in
> Word 5.x, so I would not expect either an infection routine or a
> payload routine to be able to execute within this application.
>
> However, Word 5.x users may contribute indirectly to the spread of
> infected files across platforms and systems, since it is perfectly
> possible for a user whose own system is uninfectable to act as a
> conduit for the transmission of infected documents, whether or not
> s/he reads it personally.
>
> Files infected with a PC-specific file virus (this excludes macro
> viruses) can only execute on a Macintosh running DOS or DOS/Windows
> emulation, if then. They can, of course, spread across platforms
> simply by copying infected files from one system to another.
>
> DOS diskettes infected with a boot sector virus can be read on a
> Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
> (normally) risk to the Mac. However, leaving such an infected disk
> in the drive while booting an emulator such as SoftPC can mean that
> the virus attempts to infect the logical PC drive with
> unpredictable results.
>
> I am aware of at least one instance of a Mac diskette which, when
> read on a PC running a utility for reading Mac-formatted disks
> after being infected with a boot-sector infector, became unreadable
> as a consequence of the boot track infection.
>
> Some Mac viruses may damage files on Sun systems running MAE or
> AUFS.
>
>
> 7.0 What viruses can affect Mac users?
> =======================================
>
> Not all variants are listed here. It was originally intended to
> reference all the major variants at least by name eventually, but
> since the information is of academic interest at best to most users
> (and available elsewhere anyway), it's no longer considered a
> priority. The main problem affecting Mac users nowadays is the
> spread of macro viruses, and I can't possibly find time to
> catalogue them individually, so they are only considered generally.
> Native Mac viruses are rather rarely seen nowadays, and most people
> don't need to know about them in detail -- in fact, what they need
> most is to know that their favoured antivirus software will deal
> with them. Note that I'm not primarily in the business of hands-on
> virus analysis, and cannot accept responsibility for descriptive errors
> based on third-party information. [DH]
>
> The following varieties are listed below:
> 7.1 Mac-specific system and file infectors
> 7.2 HyperCard Infectors
> 7.3 Mac Trojans
> 7.4 Macro viruses, trojans, variants
> 7.5 Other Operating Systems, emulation on a Mac
> 7.6 AutoStart 9805 Worms
> 7.7 Esperanto 4733
>
> 7.1 Mac-specific system and file infectors
> -------------------------------------------
> AIDS - infects application and system files. No intentional damage.
> (nVIR B strain)
>
> Aladin - close relative of Frankie
>
> Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under
> system 7.x, or System 6 under MultiFinder. Can damage applications
> so that they can't be 100% repaired.
>
> CDEF - infects desktop files. No intentional damage, and doesn't
> spread under system 7.x.
>
> CLAP: nVIR variant that spoofs Disinfectant to avoid detection
> (Disinfectant 3.6 recognizes it).
>
> Code 1: file infector. Renames the hard drive to "Trent Saburo".
> Accidental system crashes possible.
>
> Code 252: infects application and system files. Triggers when run
> between June 6th and December 31st. Runs a gotcha message ("You
> have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks...
> [etc.]"), then self-deletes. Despite the message, no intentional
> damage is done, though shutting down the Mac instead of clicking to
> continue could cause damage. Can crash System 7 or damage files,
> but doesn't spread beyond the System file. Doesn't spread under
> System 6 with MultiFinder beyond System and MultiFinder. Can cause
> various forms of accidental damage.
>
> Code 9811: hides applications, replacing them with garbage files
> named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham
> who reported this virus in November, "The most obvious symptom of
> the virus is a desktop that looks like electronic worms and a
> message that reads 'You have been hacked by the Pretorians.'"
>
> Code 32767: once a month tries to delete documents. This virus is
> not known to be in circulation.
>
> Flag: unrelated to WDEF A and B, but was given the name WDEF-C in
> some anti-virus software. Not intentionally damaging but when
> spreading it overwrites any existing 'WDEF' resource of ID '0', an
> action which might damage some files. This virus is not known to be
> in circulation.
>
> Frankie: only affects the Aladdin emulator on the Atari or Amiga.
> Doesn't infect or trigger on real Macs or the Spectre emulator.
> Infects application files and the Finder. Draws a bomb icon and
> displays "Frankie says: No more piracy!"
>
> Fuck: infects application and System files. No intentional damage.
> (nVIR B strain)
>
> Init 17: infects System file and applications. Displays message
> "From the depths of Cyberspace" the first time it triggers.
> Accidental damage, especially on 68K machines.
>
> Init 29 (Init 29 A, B): Spreads rapidly. Infects system files,
> applications, and document files (document files can't infect other
> files, though). May display a message if a locked floppy is
> accessed on an infected system 'The disk "xxxxx" needs minor
> repairs. Do you want to repair it?'. No intentional damage, but can
> cause several problems - Multiple infections, memory errors, system
> crashes, printing problems, MultiFinder problems, startup document
> incompatibilities.
>
> Init 1984: Infects system extensions (INITs). Works under Systems 6
> and 7. Triggers on Friday 13th. Damages files by renaming them,
> changing file TYPE and file CREATOR, creation and modification
> dates, and sometimes by deleting them.
>
> Init-9403 (SysX): Infects applications and Finder under systems 6
> and 7. Attempts to overwrite whole startup volume and disk
> information on all connected hard drives. Only found on Macs
> running the Italian version of MacOS.
>
> Init-M: Replicates under System 7 only. Infects INITs and
> application files. Triggers on Friday 13th. Similar damage
> mechanisms to INIT-1984. May rename a file or folder to "Virus
> MindCrime". Rarely, may delete files.
>
> MacMag (Aldus, Brandow, Drew, Peace): first distributed as a
> HyperCard stack Trojan, but only infected System files. Triggered
> (displayed a peace message and self-deleted) on March 2nd 1988, so
> very rarely found.
>
> MBDF (A,B): originated from the Tetracycle, Tetricycle or
> "tetris-rotating" Trojan. The A strain was also distributed in
> Obnoxious Tetris and Ten Tile Puzzle. Infect applications and
> system files including System and Finder. Can cause accidental
> damage to the System file and menu problems. A minor variant of
> MBDF B appeared in summer 1997: Disinfectant and Virex have been
> updated accordingly.
>
> MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file
> and application files (D doesn't infect System). No intentional
> damage, but can cause crashes and damaged files.
>
> MDEF-E and MDEF-F: described as simple and benign. They infect
> applications and system files with an 'MDEF' resource ID '0', not
> otherwise causing file damage. These viruses are not known to be in
> circulation.
>
> nCAM: nVIR variant
>
> nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect
> System and any opened applications. Extant versions don't cause
> intentional damage. Payload is either beeping or (nVIR A) saying
> "Don't panic" if MacInTalk is installed.
>
> nVIR-f: nVIR variant.
>
> prod: nVIR variant
>
> Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two
> applications that were never generally released. Can cause
> accidental damage, though - system crashes, problems printing or
> with MacDraw and Excel. Infects applications, Finder, DA Handler.
>
> SevenDust-A through G (MDEF 9806-A through D, also known as 666, E
> was at first called "Graphics Accelerator"): a family of five
> viruses which spread both through 'MDEF' resources and a System
> extension created by that resource. The first four variants are not
> known to be in circulation. Two of these viruses cause no other
> damage. On the sixth day of the month, MDEF 9806-B may erase all
> non-application files on the current volume. The SARC encyclopedia
> calls MDEF 9806-C, "polymorphic and encrypted, no payload," and
> MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the
> symbiotic part, "alters a 'WIND' resource from the host
> application." SevenDust E, not to be confused with the legitimate
> ATI driver "Graphics Accelerator", began as a trojan horse released
> to Info-Mac and deleted there on or about September 26, 1998. Takes
> two forms, 'INIT' resource ID '33' in an extension named
> "\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'.
> Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any
> month, the virus will try to delete all non-application files on
> the startup disk. John Dalgliesh describes "Graphics Accelerator"
> on his Web page for AntiGax, a free anti-SevenDust E utility; any
> errors here in translation are not his. SevenDust F uses a trojan
> "ExtensionConflict", common extensions names, and creator 'ACCE'.[SL]
>
> T4 (A, B, C, D): infects applications, Finder, and tries to modify
> System so that startup code is altered. Under System 6 and 7.0,
> INITs and system extensions don't load. Under 7.0.1, the Mac may be
> unbootable. Damage to infected files and altered System is not
> repairable by Disinfectant. The virus masquerades as Disinfectant,
> so as to spoof behaviour blockers such as Gatekeeper. Originally
> included in versions 2.0/2.1 of the public domain game GoMoku.
>
> T4-D spreads from application to application on launch by appending
> itself to the 'CODE' resource. Deletes files other than the System
> file from the System Folder, and documents, and is termed dangerous.
> The D strain is not known to be in circulation [SL].
>
> WDEF (A,B): infects desktop file only. Doesn't spread under System
> 7. No intentional damage, but causes beeping, crashes, font
> corruption and other problems.
>
> zero: nVIR variant.
>
> Zuc (A, B, C): infects applications. The cursor moves diagonally
> and uncontrollably across the screen when the mouse button is held
> down when an infected application is run. No other intentional
> damage is done.
>
> 7.2 HyperCard infectors
> ------------------------
> These are a somewhat esoteric breed, but a couple have been seen
> since Disinfectant was last upgraded in 1995, and most of the
> commercial scanners detect them.
>
> Dukakis - infects the Home stack, then other stacks used
> subsequently. Displays the message "Dukakis for President", then
> deletes itself, so not often seen.
>
> HC 9507 - infects the Home stack, then other running stacks and
> randomly chosen stacks on the startup disk. On triggering, displays
> visual effects or hangs the system. Overwrites stack resources, so
> a repaired stack may not run properly.
>
> HC 9603 - infects the Home stack, then other running stacks. No
> intended effects, but may damage the Home stack.
>
> HC "Two Tunes" (referred to by some sources as "Three Tunes") -
> infects stack scripts. Visual/Audio effects: 'Hey, what are you
> doing?' message; plays the tune "Muss I denn"; plays the tune
> "Behind the Blue Mountains"; displays HyperCard toolbox and pattern
> menus; displays 'Don't panic!' fifteen minutes after activation.
> Even sources which describe this virus as "Three Tunes" seem to
> describe the symptoms consistently with the description here, but
> we will, for completeness, attempt to resolve any possible
> confusion when time allows. This virus has no known connection with the PC
> file infector sometimes known as Three Tunes.
>
> MerryXmas - appends to stack script. On execution, attempts to
> infect the Home stack, which then infects other stacks on access.
> There are several strains, most of which cause system crashes and
> other anomalies. At least one strain replaces the Home stack script
> and deletes stacks run subsequently. Variants include Merry2Xmas,
> Lopez, and the rather destructive Crudshot. [Ken Dunham discovered
> the merryXmas virus. His program merryxmasWatcher 2.0 was very
> popular and still can eradicate the most common two strains,
> merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the
> rest of this family.]
>
> Antibody is a recent virus-hunting virus which propagates between
> stacks checking for and removing MerryXmas, and inserting an
> inoculation script.
>
> Independance (sic) Day - reported in July, 1997. It attempts to
> be destructive, but fortunately is not well enough written to be
> more than a nuisance. More information at:
> <http://www.hyperactivesw.com/Virus1.html#IDay>
>
> Blink - reported in August, 1998. Nondestructive but spreads;
> infected stacks blink once per second starting in January, 1999.
>
> 7.3 Mac Trojan Horses
> ----------------------
> These are often unsubtle and immediate in their effects: while
> these effects may be devastating, Trojans are usually very
> traceable to their point of entry. The few Mac-specific Trojans are
> rarely seen, but of course the commercial scanners generally detect
> them.
>
> ChinaTalk - system extension - supposed to be sound driver, but
> actually deletes folders.
>
> CPro - supposed to be an update to Compact Pro, but attempts to
> format currently mounted disks.
>
> + ExtensionConflict - supposed to identify Extensions conflicts, but
> installs one of the six SevenDust a.k.a. 666 viruses.
>
> FontFinder - supposed to list fonts used in a document, but
> actually deletes folders.
>
> MacMag - HyperCard stack (New Apple Products) that was the origin
> of the MacMag virus. When run, infected the System file, which then
> infected System files on floppies. Set to trigger and self-destruct
> on March 2nd, 1988, so rarely found.
>
> Mosaic - supposed to display graphics, but actually mangles
> directory structures.
>
> NVP - modifies the System file so that no vowels can be typed.
> Originally found masquerading as 'New Look', which redesigns the
> display.
>
> Steroid - Control Panel - claims to improve QuickDraw speed, but
> actually mangles the directory structure.
>
> Tetracycle - implicated in the original spread of MBDF
>
> Virus Info - purported to contain virus information but actually
> trashed disks. Not to be confused with Virus Reference.
>
> Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which
> disables PostScript printers and requires replacement of a chip on
> the printer logic board to repair. A Mac virus guru says:
>
> "The PostScript 'Trojan' was basically a PostScript job that
> toggled the printer password to some random string a number of
> times. Some Apple laser printers have a firmware counter that
> allows the password to only be changed a set number of times
> (because of PRAM behavior or licensing -- I don't remember which),
> so eventually the password would get "stuck" at some random string
> that the user would not know. I have not heard any reports of
> anyone suffering from this in many years."
>
> AppleScript Trojans - A demonstration destructive compiled
> AppleScript was posted to the newsgroups alt.comp.virus,
> comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh,
> microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and
> symantec.support.mac.sam.general on 16-Aug-97, apparently in
> response to a call for help originally posted to alt.comp.virus on
> 14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch
> published Xavier Bury's finding of a second AppleScript trojan
> horse, which, like the call for help followup, mentioned Hotline
> servers. It reportedly sends out private information while running
> in the background. A note to users from Hotline Communications CEO
> Adam Hinkley is posted at
> <http://www.macvirus.com/news/press/970903a.html>.
> AppleScripts should be downloaded only from known trusted sources.
> It is nigh impossible for an average person to know what any given
> compiled script will do.
>
> 7.4 Macro viruses, trojans, variants
> -------------------------------------
> At the time of the longstanding second-to-last upgrade of
> Disinfectant (version 3.6 in early 1995), there were no known macro
> viruses in the wild, apart from HyperCard infectors. In any case,
> Disinfectant was always intended to deal with system viruses, not
> trojans or macro/script viruses. However, many users are unaware of
> these distinctions and still assume that Disinfectant is a complete
> solution, even after its effective demise (in fact, there were
> people still relying on Gatekeeper long after its author disowned
> it....).
>
> Unfortunately, the number of known macro viruses runs into several
> thousand, though the number in the wild is far fewer.
>
> Most macro viruses (if they have a warhead at all) target Intel
> platforms and assume FAT-based directory structures, so they
> usually have no discernible effect on Macs when they trigger.
> Viruses that manipulate text strings within a document may work
> just as well on a Macintosh as on a PC.
>
> In any case, the main costs of virus control are not recovery from
> virus payloads, but the costs of establishing detection and
> protection (or of not establishing them). The costs of not
> establishing these measures can be considerable, irrespective of
> damage caused on infected machines, especially in corporate
> environments. Secondary distribution of infected documents may
> result in:
>
> * civil action - for instance, inadvertent distribution of an
> infected document to external organisations may be in breach of
> contractual obligations
>
> * legal action in terms of breach of data-protection legislation
> such as the UK Data Protection Act or the European Data Protection
> directive. The eighth principle of the Data Protection Act, for
> instance, requires that security measures are taken to protect
> against unauthorised access to, and alteration, disclosure and
> destruction of personal data, or its accidental loss.
>
> * damage to reputation - no legitimate organisation wants to be
> seen as being riddled with viruses.
>
> Since Word 6.x for Macintosh supports WordBasic macros, it is as
> vulnerable as Word 6.x and 7.x on Intel platforms to being infected
> by macro viruses, and therefore to generating other infected
> documents (or, strictly speaking, templates). Working Excel viruses
> are now beginning to appear also, and any future Macintosh
> application that supports Visual Basic for Applications will also
> be vulnerable. Note also the possibility of virus-infected
> files embedded as objects in files associated with other
> applications: this possibility exists on any platform that supports
> OLE.
>
> ++Office 98 is in general vulnerable to infection by most viruses which
> affect corresponding applications in Office 97.
>
> Macro viruses are therefore highly transmissible via
> Macintoshes, even if they don't have a destructive effect on
> Motorola platforms, if there is an equivalent application
> available on the Macintosh. For instance, although Word for
> Windows versions before vs. 6 support WordBasic, Word
> versions for the Mac up to and including version 5.1 do not.
> [Thus Word 5.1 users can not be directly infected, but may,
> like anyone, pass on infected documents to vulnerable systems.]
>
> Network Associates, Symantec, and Intego all make known-virus
> scanners that detect a range of macro viruses. Microsoft make
> available a free 'protection tool' whose effectiveness is often
> overestimated. (See below.)
>
> ++[I'm no longer able to find any reference on Intego's site to Rival:
> their efforts seem to be focused on their personal firewall for Macintosh.]
>
> For further information on specific macro viruses, try one of the
> information resources given earlier.
>
> 7.5 Other Operating Systems, emulation on a Mac
> ------------------------------------------------
> Any Mac running any sort of DOS or Windows emulation such as
> Virtual PC, SoftPC, SoftWindows, RealPC, or a DOS compatibility
> card is a potential target for any PC virus, including Boot Sector
> Infectors/Multipartites; (effects will vary). It is highly
> recommended that anyone with such a system should run a reputable,
> up-to-date PC antivirus program under emulation, as well as a good
> Mac antivirus program. [Dr. Solomon's for the Mac detected PC boot
> sector infectors as well as Mac viruses, but didn't detect PC file
> viruses (apart from macro viruses), and so was not sufficient
> protection for a Mac with DOS emulation.]
>
> Recommendations for defending PC systems or PC emulation on Macs
> are slightly out-of-scope for this FAQ. In fact, I don't know of
> any formal testing for PC antivirus software in the context of PC
> emulation on Macs. I've done some informal testing (referred to in
> another paper), but am not prepared to make vendor-specific
> recommendations on the basis of such testing. F-Prot, AVP, and Dr
> Solomon's are particularly well-regarded PC antivirus packages, of
> which some components on some platforms are available as freeware
> or for evaluation, but their efficacy in the context of PC
> emulation is not well tested or documented.
>
> To find a commercial or shareware package relevant to PCs, check
> through the independent comparative reviews sites:
> University of Hamburg Virus Test Center
> <http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm>
> University of Tampere Virus Research Unit
> <http://www.uta.fi/laitokset/virus/>
> Secure Computing
> <http://www.westcoast.com/>
> Virus Bulletin
> <http://www.virusbtn.com/>
>
> + About.com has an aggregation of PC anti-virus reviews links.
> <http://antivirus.about.com/msub12.htm>
>
> Robert Michael Slade's lists may also be helpful.
> <http://www.freenet.victoria.bc.ca/techrev/quickref.html>
> <http://www.freenet.victoria.bc.ca/techrev/rms.html>
>
> 7.6 AutoStart 9805 Worms
> -------------------------
> AutoStart 9805 is not a virus, but a worm: that is, it replicates
> by copying itself, but doesn't attach itself parasitically to a
> host program. The original took hold rapidly in Hong Kong and
> Taiwan in April 1998, and has been reported on at least four
> continents. In addition to the original worm, there are five
> variants. Virus Bulletin, July, 1998, includes a comprehensive
> analysis of AutoStart and some of its variants.
>
> CIAC Bulletin I-067 is based on Eugene Spafford's information
> release on the original AutoStart worm. Unfortunately, this is now a
> little out-of-date, particularly as regards the update status of
> the antivirus software it mentions. Nor does it mention any of the
> subsequently discovered variants.
> <http://www.ciac.org/>
>
> Symptoms: Perhaps the most noticeable symptom of the worms is that
> an infected system will _lock up and churn with unexplained disk
> activity_ every 6, 10, or 30 minutes.[SL]
>
> Affected platforms: any PowerMac. Macintoshes and clones driven by
> Motorola 680x0 series CPUs can't run the replicative code. It works
> under any version of Mac OS, if QuickTime 2.0 or later is installed
> and CD-ROM AutoPlay is enabled in the "QuickTime Settings" Control
> Panel.
>
> Transmission media: HFS or HFS+ volumes (hard disks, diskettes,
> most types of removable media, even disk images). Audio CDs can't
> transmit the virus, and it isn't necessary to disable "Audio CD
> AutoPlay".
>
> Transmission method: infected media contain an invisible
> application file named "DB" or "BD" or "DELDB" in the root
> directory (type APPL, creator ????). This is an AutoStart file:
> i.e. it will run automatically if CD-ROM autoplay is enabled. If
> the host Mac isn't already infected, it copies itself to the
> Extensions folder. The new copy is renamed "Desktop Print Spooler"
> or "Desktop Printr Spooler", or "DELDesktop Print Spooler"
> respectively (type appe, creator ????). Unlike the legitimate
> Desktop Printer Spooler extension, the worm file has the invisible
> attribute set, and isn't listed as a running process by the system
> software, though it can be seen with Process Watcher or Macsbug.
> After copying itself, it reboots the system and is now launched
> every time the system restarts. At approximately 6, 10, or 30
> minute intervals, it examines mounted volumes to see if they're
> infected: if not, it writes itself to the root directory and sets
> up AutoStart (however, AutoStart won't work on a server volume).
>
> Damage: files with names ending "data", "cod" or "csa" are targeted
> if the data fork is larger than 100 bytes. Files with names ending
> "dat" are targeted if the whole file is c. 2Mb or larger. Targeted
> files are attacked by overwriting the data fork (up to the 1st Mb)
> with garbage.
>
> Besides the original, there are five variants: AutoStart 9805-B,
> which is less noticeable but can cause irreparable damage to files
> of type 'JPEG', 'TIFF', and 'EPSF'; AutoStart 9805-C and AutoStart
> 9805-D which do not intentionally damage data; AutoStart 9805-E
> which spreads like B and is most similar to the original; and
> AutoStart 9805-F which is most similar to A and E.
> Dr Solomon's, Sophos, and Symantec had descriptions on the Web:
> <http://www.drsolomon.com/vircen/valerts/mac/>
> <http://www.sophos.com/virusinfo/analyses/autostart9805.html>
> <http://www.symantec.com/avcenter/data/autostart.9805.html>
> ++Dead Mac Virus link cleaned.
>
> Detection: updates to deal with the worms are available for Virex
> (http://www.drsolomon.com/products/virex/), for NAV and SAM
> (http://www.symantec.com/avcenter/download.html), and for Rival
> (http://www.intego.com/).
>
> The last versions of VirusScan for Mac and Disinfectant did not detect
> AutoStart. [Reference to Dr Solomon's for Mac removed, as the product is
> no longer supported.]
>
> Prevention: uninfected systems can be protected by disabling the
> AutoStart option in QuickTime settings (QuickTime 2.5 or later only
> - earlier versions don't have a disable option). This should also
> prevent infection by future malware exploiting the same loophole,
> but will fail if a setup is booted from a volume with an infected
> Extensions Folder [SL].
>
> Removal: the easiest and safest method for most people will be to
> use the updated version of their favoured anti-virus software, as
> it becomes available.
>
> The worms can also be removed manually.
> * Reboot with extensions disabled (hold down the shift key till an
> alert box tells you that extensions are off).
> * Use Find File to search all volumes for all instances of a file
> called "DB" or "BD" or "DELDB" with the invisibility attribute set
> (hold down Option key when clicking on "Name" pop-up menu to select
> for visibility). Trash 'em.
> * Use Find File to find and trash an invisible "Desktop Print
> Spooler", "Desktop Printr Spooler", or "DELDesktop Print Spooler"
> file (-not- Desktop Printer Spooler, which is a legitimate and
> usually necessary system file).
> * Empty the trash.
> * Disable AutoStart in QuickTime Settings Control Panel.
> * Restart.
>
> 7.7 Esperanto.4733
> -------------------
> This probably doesn't belong here. It's a PC file infector which
> works with a number of PC executable file formats. When it was
> first seen, it was reported to be a multiplatform virus capable of
> executing under some circumstances on Macintoshes. Subsequent
> reports indicate that this belief results from misinformation on
> the part of the author. However, at least two reputable PC
> anti-virus vendors still list it as capable of activating on a
> Macintosh. No Mac scanner is known to attempt to detect it.
>
> 8.0 What's the best antivirus package for the Macintosh?
> =========================================================
>
> As ever, we can't give a definitive answer to this. The best choice
> depends on subjective criteria and individual needs. Nonetheless,
> here are some thoughts on the main contenders.
>
> 8.1 Microsoft's Protection Tools
> ---------------------------------
> Microsoft's Macro Virus Protection Tools originally detected
> Concept (Nuclear and DMV were also mentioned in the documentation,
> but were not identified specifically by the tools). Principally,
> they merely warned users that the document they are about to open
> contained macros and offered the choice of opening the file without
> macros, opening it with macros, or cancelling the File Open. Later
> implementations built into the application are better on
> identifying a few specific viruses and on integration into Word
> itself, but should not be relied on for 100% effective detection,
> blocking and disinfection of macro viruses. More information from
> Microsoft may be available at the addresses below.
> <http://www.microsoft.com/office/antivirus/> (no longer accessible)
> MSN: GO MACROVIRUSTOOL
> AOL: the Word forum
> CompuServe: the Word forum
> Microsoft Product Support Services
> 206-462-9673 (WinWord)
> 206-635-7200 (Word Mac)
> email: wordinfo@microsoft.com
>
> NB The Protection Tool traps some File Open operations, but not
> all. There are a number of ways of opening a document which bypass
> it, some of which are rather commonly used (e.g. double-clicking or
> using the Recent Documents list).
>
> The Protection Tool can be used to scan for Concept-infected files,
> but there are a number of possible problems with it.
>
> * Earlier versions could only handle a limited size of directory
> tree, and ran very slowly if a large number of files required
> scanning. Speed is certainly still a problem: I can't say about the
> overflow problem.
> * Files created in Word for Windows won't be scanned until they've
> been opened in Word 6 for Mac (this is a system issue, not a bug in
> the code). However, Microsoft suggest that you open the file in
> Word for the Macintosh and save it before scanning. This will do
> the job, but will also infect your system, if the file is infected.
> If it's infected with a virus -other- than Concept, this could
> create problems if the Protection Tool is bypassed on a subsequent
> file open.
> * Infected files embedded in OLE2 files or e-mail files will not be
> detected.
> * The Microsoft tools are not useful on non-English Windows systems
> (which may be run under Virtual PC or Real PC). SCANPROT cannot
> handle non-English documents, and will hang during the scanning
> process if it encounters a document created with a non-English
> version of Word. Microsoft's Excel add-in for the Laroux macro
> virus causes multiple file open buttons to appear in non-English
> versions of Excel, and so it has worse effects than the macro virus
> itself. Again this applies to Windows emulation; however, most
> virus protection and detection products are only tested in an
> English language environment, and may cause problems on non-English
> systems. [Thanks to Eric Hildum for this information.]
>
> Windows 95 users should be aware that SCANPROT is not recommended
> for use with MS Word 7.0a for Windows with internal detection
> enabled, as these two tools will cancel each other out.
>
> The Excel add-in for Macs removes only Laroux A and B.
> <http://www.microsoft.com/macoffice/laroux.htm>
>
> ++Office 98 moves the goalposts again. This issue will probably be
> addressed again here in more depth. In brief, Office 98 does a
> better job of implementing a primarily generic approach [i.e. "If
> it contains macros, it's suspicious: sort it out yourself...."],
> but whether this is enough is a question demanding more space and
> time than I have to spare right now. Office 97/98 include limited
> detection of a handful of known viruses during upconversion of
> macros. This is poorly implemented and in any case is only triggered
> when macros are converted to VBA from WordBasic. Vesselin Bontchev
> has considered macro upconversion at some length in papers for
> Virus Bulletin and EICAR conferences.
>
> ++Microsoft's home page has recommended using an ICSA-certified
> antivirus utility and sidesteps any hint of responsibility for any
> macro virus or SCANPROT related problems. However, ICSA does not
> currently certify Mac products, though this is being looked at.
>
> 8.2 Disinfectant
> -----------------
> [On May 6th 1998, John Norstad, author of this widely-used freeware
> package announced that it was to be retired. 3.7.1 is the latest
> and last version, and it won't be updated to detect AutoStart 9805
> or any subsequent Macintosh malware. The main reason for this is
> that he doesn't have the resources to extend its capabilities to
> detect macro viruses, which have become by far the most significant
> virus problem for most Macintosh users.
>
> This is probably a wise decision, given the number of people who
> still overestimate the effectiveness of the package in the face of
> the macro virus threat. However, the entire Macintosh community
> owes John Norstad a debt of gratitude for making it freely
> available for so long, an act of altruism which has probably
> contributed very significantly to the comparative rarity of native
> Macintosh viruses.]
>
> Disinfectant was an excellent anti-virus package with exemplary
> documentation, and didn't cost a penny: however, it didn't detect
> all the forms of malware that a commercial package usually does,
> including HyperCard infectors, most Trojans, jokes or macro
> viruses. Unlike some commercial packages, it didn't scan compressed
> files, either: compressed files had to be expanded before scanning.
> Self-extracting archives were probably best scanned before
> unpacking, then again when unpacked.
>
> Disinfectant has been available up to now from the following
> sources, but this may not continue to be the case:
> <ftp://ftp.acns.nwu.edu/pub/disinfectant/>
> CompuServe
> GEnie
> America Online
> Calvacom
> Delphi
> BIX
> Info-Mac mirrors in the ../vir/ directory
>
> The Disinfectant README was updated to README-IMPORTANT on 6 May
> 1998, with the message, "because of the widespread and dangerous
> Microsoft macro virus problem," "...All Disinfectant users should
> switch..." to another program. README-IMPORTANT was updated again
> on 11 October 1998, adding, "In addition to the Autostart worm and
> the Microsoft macro viruses, several other new Mac viruses have
> appeared since Disinfectant's retirement in May. This makes it even
> more important that Disinfectant users switch..." to one of the
> commercial products.
> <ftp://ftp.nwu.edu/pub/disinfectant/README-IMPORTANT>
> There is a copy of the retirement announcement on the Web:
> <http://charlotte.acns.nwu.edu/jln/d-retire.ssi>
>
> 8.3 Demo Software
> ------------------
> Symantec has a 30-day fully-functioning trialware NAV (Norton
> AntiVirus for Macintosh). Update it with current definitions.
> <http://www.symantec.com/nav/fs_navmac5.html>
>
> Network Associates has a 30-day fully-functioning evaluation
> version of Virex 5.9.1. The Virex trial includes the application,
> not the control panel.
> <ftp://ftp.nai.com/pub/antivirus/mac/virex/>
> Update the demo with current definitions:
> <ftp://ftp.nai.com/pub/antivirus/datfiles/mac/virex/>.
>
> Sophos also has a 30-day evaluation, also fully-functioning,
> which includes the SWEEP application. The demo supports both
> English and Japanese.
> <http://www.sophos.com/downloads/eval/savmac.html>
>
> ++Intego has a limited-function French demo of Rival, "miniRival."
> <http://www.intego.com/demo.html> [This seems to have disappeared,
> along with Rival itself - 11-12-99]
>
> Disinfector 1.0 is described by its author as shareware. However,
> it's strictly speaking a limited-runtime demo -- it stops
> functioning after 20 trial runs on one system. It's described as a
> beta release, but the author expects users to register it at a
> charge of $30 [subsequently reduced to $15]: in return, they get a
> version which can be used an unlimited number of times. It only
> detects a handful of Mac system viruses which the author claims
> that commercial vendors have not detected, and have not been
> reported in the wild. In the early days of virus/antivirus
> technology, a number of utilities were made available which
> addressed only one or a few viruses, and a proliferation of free
> AutoStart worm detectors continues that honourable tradition.
> However, charging for this particular utility puts it into the same
> arena as the commercial scanners which detect a far wider range of
> threats and for which full support is available, an area in which
> it cannot at present compete. Disinfector was briefly available at
> Info-Mac, but has since been removed.
> ++[I suspect that this product has been removed from circulation, but
> haven't checked with the author. This section will probably be amended
> or removed in the next version of the FAQ, when I've checked.]
>
> There have also been a number of proposals since John Norstad
> announced the retirement of Disinfectant, suggesting that if the
> code was made public, it would be possible to maintain and further
> develop Disinfectant, possibly still as a freeware product. This is
> misguided, for a number of reasons.
>
> * It misses one of the main points of Norstad's announcement, which
> is to acknowledge the dangers of continuing to develop a scanner
> which detects only one class of virus, when so many people have
> laboured so long under the misapprehension that it was a complete
> solution.
> * Disinfectant -has- been developed further. VirusScan is based on
> Disinfectant technology (under licence), and NAI are in a much
> better position to develop it as commercial-grade software than a
> group of well-meaning individuals without the specialised skills
> and resources of a mainstream anti-virus development team. Indeed,
> it may be that the terms of that agreement would prevent Norstad
> from making the code public even if he wanted to (I doubt that he
> does....).
> * Making the code public, even to a limited circle, would increase
> the chances of its falling into irresponsible hands. In fact, the
> online documentation has long stated that the code for the
> detection engine is not available, though some of the interface
> code was. (I'm paraphrasing from memory: I may well check out
> exactly what it says for the next update of the FAQ.)
> * To think that a committee of well-intentioned amateurs (or a
> single ambitious amateur) can develop Disinfectant to the same high
> standard that it achieved through its lifetime demonstrates a
> profound underestimation of the difficulties of maintaining (let
> alone creating) a first-class known-virus scanner. [DH] Curiously,
> the same fallacies have recently been aired on a Unix virus
> discussion list.
>
> 8.4 Other freeware/shareware packages
> --------------------------------------
> For other freeware/shareware Mac packages, try Info-Mac mirrors
> like:
> <ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>
>
> The University of Texas holds some older documentation on Mac
> viruses.
> <http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html>
>
> Tracker INIT and DelProtect INIT, both by Ioannis Galidakis, were
> first released on 19-Nov-98. Tracker is a behavior blocker something
> like the retired program GateKeeper. DelProtect protects against
> malicious file deletion. Tracker is now at version 1.1. Scanner 1.1x
> also by Ioannis Galidakis was released 15-Jan-99, and is a free,
> generic, heuristic 68k virus scanner for advanced Macintosh users.
> <http://www.crosswinds.net/athens/~jgal/>
>
> John Dalgliesh has created Agax, an extensible, free anti-virus
> program which replaces his program AntiGax, and uses plug-ins called
> "Additives." At this time, Agax will detect and try to clean only
> SevenDust, CODE 9811, and the AutoStart worms (the worm additive was
> in beta testing at the time of this writing). The author's Web page
> and documentation invite Mac programmers to contribute additives.
> <http://www.cse.unsw.edu.au/~s2191331/agax/agax.html>
>
> The Exorcist, free from Laffey Computer Imaging, may give some (by
> one description, about 90%) protection from the SevenDust family.
> <http://www.laffeycomputer.com/software.html>
>
> Gatekeeper was not a scanner, but a generic tool. It is no longer
> supported by its author, but is still available on some sites. It
> is probably not safe to use or rely on on modern systems, and I
> believe the author recommends that people don't attempt to use it,
> though I've been unable to contact him to get confirmation.
>
> In January 1997 Padgett Peterson, author of the PC utility
> DiskSecure, released the first version of his MacroList macro
> detection tool, which has been tested by the author on Macs (System
> 7.5 on SE/30, IIci and PowerMac) as well as Windows PCs, using
> considerably more macro viruses than Microsoft seem to have heard
> of..... The MacroList template is accessed by a button in the
> standard toolbar. This is not a virus scanner, but allows disabling
> of automacros, listing of any macros found in the current document
> etc. Version 1.10 was due for release by the time of writing
> (February 1997), and an adaptation for Office97 is in progress.
> Watch the Web page for further details. [v1.1 and the Office 97
> "late beta" were available as at 18th March 1997.] MacroList is
> freeware, but please be sure to read the TRIALS link.
> <http://www.freivald.org/~padgett/>
> (under Anti-Virus Hobby) - NB change of URL.
>
> WormGuard by Clarence Locke is a free on-access extension that
> affords AutoStart worm protection:
> <http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormGuard>
>
> The following free scanners may remove AutoStart 9805 and its B, C,
> D, E, and F variants and may be useful in the absence of a
> commercial application. There are a few reported instances of
> failures by some of these programs to identify or remove the
> AutoStart worms, and it is likely that D might be mis-identified as
> C, and E may be mis-identified as the original worm. [SL]
>
> WormScanner by James Walker
> <http://members.aol.com/jwwalker/pages/worm.html>
> Autostart Hunter by Akira Nagata
> <http://www.nettaxi.com/citizens/yukoswrd/> (English)
> <http://www.parkcity.ne.jp/~eyukoswrd/index_mac.html> (Japanese)
> BugScan by Mountain Ridge Dataworks (also detects SevenDust E)
> <http://www.mrdataworks.com/bscan.htm>
> Worm Gobbler by Jim Kreinbrink
> <http://www.lineaux.com/>
> Innoculator by MacOffice
> <http://www.macoffice.com/innoculator.htm>
> WormFood by Doug Baer
> <http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormFood>
> Eradicator with update, by Uptown Solutions Ltd.
> <http://www.uptown.com/>
>
> As stated above, one-shot solutions to a very small subset of a
> particular class of threat have a long and honourable history, and
> are very welcome when a new threat catches the antivirus developers
> on the hop (it can take some time to incorporate detection of new
> threats into the product update cycle). NB The maintainer does not
> currently have the time or resources to do full detection testing of
> these products (or any other). [DH]
>
> 8.5 Commercial Packages
> ------------------------
> Commercial packages include NAV (Norton AntiVirus for Macintosh)
> [NAV supersedes SAM (Symantec Antivirus for Macintosh)], Virex for
> Macintosh, Rival, and Sophos Anti-Virus for Macintosh (SAV).
>
> Virex, NAV, and SAM [obsolete] all address a full range of threats,
> including Trojans and macro viruses, and can do scheduled scanning
> as well as on-access (memory-resident) scanning.
>
> ++Sophos Anti-Virus for Macintosh (SAV) was upgraded in January 1999
> to include the SWEEP on-demand scanner. The shipping version can be
> downloaded for free evaluation. English and Japanese are supported.
> <http://www.sophos.com/downloads/eval/> Stand-alone on-access scanning
> is now available in the release version. Server-based on-access scanning
> has long been available for Mac clients on NT or NetWare networks.
> The program offers customizable reporting and notification from an
> attractive interface. So far, compressed archives must be
> decompressed before scanning; I am assured that archive scanning
> will be in future versions. Complete documentation is in PDF format.
> <http://www.sophos.com/support/docs/>
> + Sophos combines an intercept driver (InterCheck) and a scanner
> application (SWEEP). Sales are not retail, but direct or through
> the Sophos Distributor network. Free technical support is all-year
> round, any time of day. Virus identity updates are available from
> the Web between monthly CD-ROMs. Major developments in the Sophos
> product are expected, including smooth large-scale deployment and
> ease of updating over networks.[SL]
> [This section is overdue for serious refurbishment. Next FAQ release, maybe. There
> may be an issue with the Sophos control panel and so
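
The AutoStart 9805 indicators from section 7.6 of the quoted FAQ (file names, location, invisibility, type/creator, and the damage criteria of the original worm), applied as a check over a file inventory. This is an added example, not part of the FAQ or of the original post; the `FileRecord` layout, the sample inventory, the case-insensitive name comparison and the exact 2 MB threshold (the FAQ says "c. 2Mb") are assumptions.

```python
from dataclasses import dataclass

# Indicators as listed in section 7.6 of the FAQ (original worm only).
ROOT_NAMES = {"db", "bd", "deldb"}                       # invisible, type APPL
EXTENSION_NAMES = {"desktop print spooler",
                   "desktop printr spooler",
                   "deldesktop print spooler"}            # invisible, type appe
LEGITIMATE_NAME = "desktop printer spooler"               # real system file
DATA_FORK_SUFFIXES = ("data", "cod", "csa")
DATA_FORK_MIN = 100                  # bytes, from the FAQ
WHOLE_FILE_MIN = 2 * 1024 * 1024     # assumption for the FAQ's "c. 2Mb"


@dataclass(frozen=True)
class FileRecord:
    """Hypothetical inventory row; folder == "" means the volume root."""
    volume: str
    folder: str
    name: str
    ftype: str
    creator: str
    invisible: bool
    data_fork: int = 0
    resource_fork: int = 0


def classify(rec):
    """Return a verdict string for worm-related names, or None."""
    name = rec.name.casefold()   # HFS names are case-insensitive
    if name == LEGITIMATE_NAME:
        return "legitimate"
    if not rec.invisible:        # the worm's files carry the invisible flag
        return None
    if rec.folder == "" and name in ROOT_NAMES:
        exact = (rec.ftype, rec.creator) == ("APPL", "????")
        return "worm-root" if exact else "suspect-root"
    if rec.folder.endswith("Extensions") and name in EXTENSION_NAMES:
        exact = (rec.ftype, rec.creator) == ("appe", "????")
        return "worm-extension" if exact else "suspect-extension"
    return None


def possibly_overwritten(rec):
    """True if the file meets the original worm's damage criteria."""
    name = rec.name.casefold()
    if name.endswith(DATA_FORK_SUFFIXES):
        return rec.data_fork > DATA_FORK_MIN
    if name.endswith("dat"):
        return rec.data_fork + rec.resource_fork >= WHOLE_FILE_MIN
    return False


def scan(records):
    """Return (findings, restore_candidates) for an inventory."""
    findings = []
    for rec in records:
        verdict = classify(rec)
        if verdict and verdict != "legitimate":
            findings.append((rec.volume, rec.name, verdict))
    # Only worth checking files against backups if the worm was present.
    candidates = [r.name for r in records if possibly_overwritten(r)] if findings else []
    return findings, candidates


# Constructed sample inventory (not real data). Type/creator of the
# legitimate spooler below are placeholders.
EXT = "System Folder:Extensions"
SAMPLE = [
    FileRecord("Macintosh HD", "", "DB", "APPL", "????", True, 20000),
    FileRecord("Macintosh HD", EXT, "Desktop Print Spooler", "appe", "????", True, 20000),
    FileRecord("Macintosh HD", EXT, "Desktop Printer Spooler", "xxxx", "xxxx", False, 50000),
    FileRecord("Zip 100", "", "BD", "TEXT", "ttxt", True, 300),
    FileRecord("Macintosh HD", "Documents", "DB", "APPL", "????", True, 20000),
    FileRecord("Macintosh HD", "Projects", "Survey data", "TEXT", "ttxt", False, 4096),
    FileRecord("Macintosh HD", "Projects", "tiny.cod", "TEXT", "ttxt", False, 80),
    FileRecord("Macintosh HD", "Archive", "backup.dat", "BINA", "xxxx", False, 3 * 1024 * 1024),
    FileRecord("Macintosh HD", "Archive", "small.dat", "BINA", "xxxx", False, 500000),
]

if __name__ == "__main__":
    found, restore = scan(SAMPLE)
    for volume, name, verdict in found:
        print(f"{verdict:18} {volume}:{name}")
    print("compare against backups:", restore)
```

A "suspect" verdict means name, location and invisibility match but type/creator do not; the check does not cover the file types the FAQ lists for variant B.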

 
 